rpms/selinux-policy/devel policy-20071130.patch, 1.84, 1.85 selinux-policy.spec, 1.622, 1.623

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Feb 29 22:13:16 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14854

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Thu Feb 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-8
- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- policy-20071130.patch	28 Feb 2008 21:51:10 -0000	1.84
+++ policy-20071130.patch	29 Feb 2008 22:13:08 -0000	1.85
@@ -736,6 +736,38 @@
  endef
  
  # create-base-per-role-tmpl modulenames,outputfile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/httpd_selinux.8 serefpolicy-3.3.1/man/man8/httpd_selinux.8
+--- nsaserefpolicy/man/man8/httpd_selinux.8	2008-02-18 14:30:19.000000000 -0500
++++ serefpolicy-3.3.1/man/man8/httpd_selinux.8	2008-02-29 09:31:45.000000000 -0500
+@@ -22,23 +22,19 @@
+ .EX
+ httpd_sys_content_t 
+ .EE 
+-- Set files with httpd_sys_content_t for content which is available from all httpd scripts and the daemon.
++- Set files with httpd_sys_content_t for content which is available from all httpd sys scripts and the daemon.
+ .EX
+ httpd_sys_script_exec_t  
+ .EE 
+ - Set cgi scripts with httpd_sys_script_exec_t to allow them to run with access to all sys types.
+ .EX
+-httpd_sys_script_ro_t 
++httpd_sys_content_rw_t 
+ .EE
+-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
++- Set files with httpd_sys_content_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
+ .EX
+-httpd_sys_script_rw_t 
++httpd_sys_content_ra_t 
+ .EE
+-- Set files with httpd_sys_script_rw_t if you want httpd_sys_script_exec_t scripts to read/write the data, and disallow other non sys scripts from access.
+-.EX
+-httpd_sys_script_ra_t 
+-.EE
+-- Set files with httpd_sys_script_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
++- Set files with httpd_sys_content_ra_t if you want httpd_sys_script_exec_t scripts to read/append to the file, and disallow other non sys scripts from access.
+ .EX
+ httpd_unconfined_script_exec_t  
+ .EE 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.3.1/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2008-02-15 09:52:54.000000000 -0500
 +++ serefpolicy-3.3.1/policy/flask/access_vectors	2008-02-26 08:29:22.000000000 -0500
@@ -3222,7 +3254,7 @@
 +/usr/lib(64)?/gnupg/gpgkeys.* --	gen_context(system_u:object_r:gpg_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.3.1/policy/modules/apps/gpg.if
 --- nsaserefpolicy/policy/modules/apps/gpg.if	2007-07-23 10:20:12.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/gpg.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/gpg.if	2008-02-29 17:00:38.000000000 -0500
 @@ -38,6 +38,10 @@
  	gen_require(`
  		type gpg_exec_t, gpg_helper_exec_t;
@@ -3234,7 +3266,7 @@
  	')
  
  	########################################
-@@ -45,275 +49,56 @@
+@@ -45,275 +49,59 @@
  	# Declarations
  	#
  
@@ -3302,17 +3334,11 @@
 -
 -	dev_read_rand($1_gpg_t)
 -	dev_read_urand($1_gpg_t)
-+	typealias gpg_agent_t alias  $1_gpg_agent_t;
-+	role $3 types gpg_agent_t;
- 
+-
 -	fs_getattr_xattr_fs($1_gpg_t)
-+	typealias gpg_helper_t alias  $1_gpg_helper_t;
-+	role $3 types gpg_helper_t;
- 
+-
 -	domain_use_interactive_fds($1_gpg_t)
-+	typealias gpg_pinentry_t alias $1_gpg_pinentry_t;
-+	role $3 types gpg_pinentry_t;
- 
+-
 -	files_read_etc_files($1_gpg_t)
 -	files_read_usr_files($1_gpg_t)
 -	files_dontaudit_search_var($1_gpg_t)
@@ -3327,14 +3353,13 @@
 -	sysnet_read_config($1_gpg_t)
 -
 -	userdom_use_user_terminals($1,$1_gpg_t)
--
++	typealias gpg_agent_t alias  $1_gpg_agent_t;
++	role $3 types gpg_agent_t;
+ 
 -	optional_policy(`
 -		nis_use_ypbind($1_gpg_t)
-+	ifelse(`$1',`user',`',`
-+		typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;
-+		typealias user_gpg_secret_t alias $1_gpg_secret_t;
- 	')
- 
+-	')
+-
 -	ifdef(`TODO',`
 -	# Read content to encrypt/decrypt/sign
 -	read_content($1_gpg_t, $1)
@@ -3359,9 +3384,13 @@
 -	# communicate with the user 
 -	allow $1_gpg_helper_t $2:fd use;
 -	allow $1_gpg_helper_t $2:fifo_file write;
--
++	typealias gpg_helper_t alias  $1_gpg_helper_t;
++	role $3 types gpg_helper_t;
+ 
 -	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
--
++	typealias gpg_pinentry_t alias $1_gpg_pinentry_t;
++	role $3 types gpg_pinentry_t;
+ 
 -	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
 -	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
 -	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
@@ -3393,8 +3422,11 @@
 -
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_dontaudit_rw_cifs_files($1_gpg_helper_t)
--	')
--
++	ifelse(`$1',`user',`',`
++		typealias user_gpg_agent_tmp_t alias $1_gpg_agent_tmp_t;
++		typealias user_gpg_secret_t alias $1_gpg_secret_t;
+ 	')
+ 
 -	optional_policy(`
 -		xserver_use_xdm_fds($1_gpg_t)
 -		xserver_rw_xdm_pipes($1_gpg_t)
@@ -3404,25 +3436,27 @@
 -	#
 -	# GPG agent local policy
 -	#
--
--	# rlimit: gpg-agent wants to prevent coredumps
--	allow $1_gpg_agent_t self:process setrlimit;
 +	# transition from the userdomain to the derived domain
 +	domtrans_pattern($2,gpg_exec_t,gpg_t)
  
--	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
--	allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
+-	# rlimit: gpg-agent wants to prevent coredumps
+-	allow $1_gpg_agent_t self:process setrlimit;
 +	# Transition from the user domain to the derived domain.
 +	domtrans_pattern($2, gpg_agent_exec_t, $1_gpg_agent_t)
  
+-	allow $1_gpg_agent_t self:unix_stream_socket create_stream_socket_perms ;
+-	allow $1_gpg_agent_t self:fifo_file rw_fifo_file_perms;
++	allow $2 gpg_t:process signal_perms;
+ 
 -	# read and write ~/.gnupg (gpg-agent stores secret keys in ~/.gnupg/private-keys-v1.d )
 -	manage_dirs_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 -	manage_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
 -	manage_lnk_files_pattern($1_gpg_agent_t,$1_gpg_secret_t,$1_gpg_secret_t)
-+	allow $2 gpg_t:process signal_perms;
 +	# Thunderbird leaks descriptors
 +	dontaudit gpg_t $2:tcp_socket rw_socket_perms;
 +	dontaudit gpg_t $2:udp_socket rw_socket_perms;
++	dontaudit gpg_helper_t $2:tcp_socket rw_socket_perms;
++	dontaudit gpg_helper_t $2:udp_socket rw_socket_perms;
  
 -	# allow gpg to connect to the gpg agent
 -	stream_connect_pattern($1_gpg_t,$1_gpg_agent_tmp_t,$1_gpg_agent_tmp_t,$1_gpg_agent_t)
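Review bot: The two `dontaudit gpg_helper_t $2:...socket rw_socket_perms;` lines added at the end of this hunk sit under a comment that names only gpg_t (`# Thunderbird leaks descriptors`), so a later reader cannot tell whether the helper rule shares that rationale or was added for a different caller. Extend the comment to cover both domains, e.g. `# Thunderbird leaks descriptors to gpg and to the gpg keyserver helper`, or give the two helper lines a one-line comment of their own. The enclosing template body starts before this hunk and continues after it.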
@@ -6744,7 +6778,7 @@
  type lvm_control_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.3.1/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-28 13:12:42.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/domain.te	2008-02-29 13:18:04.000000000 -0500
 @@ -5,6 +5,13 @@
  #
  # Declarations
@@ -6943,7 +6977,7 @@
  # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-02-26 16:54:33.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-02-29 09:10:51.000000000 -0500
 @@ -310,6 +310,25 @@
  
  ########################################
@@ -7590,7 +7624,7 @@
  # amavis local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-02-27 13:12:43.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-02-29 09:34:05.000000000 -0500
 @@ -1,4 +1,4 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@@ -7617,7 +7651,7 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
++/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
  /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
  /var/lib/php/session(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -7625,7 +7659,13 @@
  /var/lib/squirrelmail/prefs(/.*)?	gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
  
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -71,5 +73,16 @@
+@@ -66,10 +68,21 @@
+ /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
+ /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
+ 
+-/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
++/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
+ /var/spool/squirrelmail(/.*)?		gen_context(system_u:object_r:squirrelmail_spool_t,s0)
  
  /var/www(/.*)?				gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -7636,16 +7676,21 @@
 +#Bugzilla file context
 +/usr/share/bugzilla(/.*)?	-d	gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
 +/usr/share/bugzilla(/.*)?	--	gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
-+/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_script_rw_t,s0)
++/var/lib/bugzilla(/.*)?			gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
 +#viewvc file context
-+/var/spool/viewvc(/.*)?  		gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
++/var/spool/viewvc(/.*)?  		gen_context(system_u:object_r:httpd_sys_content_rw_t, s0)
 +/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-02-27 17:47:47.000000000 -0500
-@@ -18,10 +18,6 @@
++++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-02-29 14:20:00.000000000 -0500
+@@ -13,21 +13,16 @@
+ #
+ template(`apache_content_template',`
+ 	gen_require(`
+-		attribute httpdcontent;
+ 		attribute httpd_exec_scripts;
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
  	')
@@ -7654,28 +7699,92 @@
 -	gen_tunable(allow_httpd_$1_script_anon_write,false)
 -
  	#This type is for webpages
- 	type httpd_$1_content_t, httpdcontent; # customizable
+-	type httpd_$1_content_t, httpdcontent; # customizable
++	type httpd_$1_content_t;
  	files_type(httpd_$1_content_t)
-@@ -71,7 +67,7 @@
+ 
+ 	# This type is used for .htaccess files
+-	type httpd_$1_htaccess_t; # customizable;
++	type httpd_$1_htaccess_t;
+ 	files_type(httpd_$1_htaccess_t)
+ 
+ 	# Type that CGI scripts run as
+@@ -42,20 +37,22 @@
+ 
+ 	# The following three are the only areas that 
+ 	# scripts can read, read/write, or append to
+-	type httpd_$1_script_ro_t, httpdcontent; # customizable
+-	files_type(httpd_$1_script_ro_t)
++	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
+ 
+-	type httpd_$1_script_rw_t, httpdcontent; # customizable
+-	files_type(httpd_$1_script_rw_t)
++	type httpd_$1_content_rw_t;
++	files_type(httpd_$1_content_rw_t)
++	typealias httpd_$1_content_rw_t alias httpd_$1_script_rw_t;
+ 
+-	type httpd_$1_script_ra_t, httpdcontent; # customizable
+-	files_type(httpd_$1_script_ra_t)
++	type httpd_$1_content_ra_t;
++	files_type(httpd_$1_content_ra_t)
++	typealias httpd_$1_content_ra_t alias httpd_$1_script_ra_t;
+ 
+-	allow httpd_t httpd_$1_htaccess_t:file read_file_perms;
++	read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)
+ 
+ 	domtrans_pattern(httpd_suexec_t, httpd_$1_script_exec_t, httpd_$1_script_t)
+ 
+-	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_script_ro_t httpd_$1_script_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
++	allow httpd_suexec_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
++	allow httpd_t { httpd_$1_content_t httpd_$1_content_rw_t httpd_$1_script_exec_t }:dir search_dir_perms;
+ 
+ 	allow httpd_$1_script_t self:fifo_file rw_file_perms;
+ 	allow httpd_$1_script_t self:unix_stream_socket connectto;
+@@ -65,29 +62,26 @@
+ 	dontaudit httpd_$1_script_t httpd_t:unix_stream_socket { read write };
+ 
+ 	# Allow the script process to search the cgi directory, and users directory
+-	allow httpd_$1_script_t httpd_$1_content_t:dir search_dir_perms;
++	allow httpd_$1_script_t httpd_$1_content_t:dir list_dir_perms;
++	read_files_pattern(httpd_$1_script_t,httpd_$1_content_t,httpd_$1_content_t)
++	read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_t,httpd_$1_content_t)
+ 
+ 	append_files_pattern(httpd_$1_script_t,httpd_log_t,httpd_log_t)
  	logging_search_logs(httpd_$1_script_t)
  
  	can_exec(httpd_$1_script_t, httpd_$1_script_exec_t)
 -	allow httpd_$1_script_t httpd_$1_script_exec_t:dir search_dir_perms;
 +	allow httpd_$1_script_t httpd_$1_script_exec_t:dir list_dir_perms;
  
- 	allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
- 	read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
-@@ -87,7 +83,8 @@
- 	manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
- 	manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
- 	manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-	allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
+-	read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+-	append_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+-	read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+-
+-	allow httpd_$1_script_t httpd_$1_script_ro_t:dir list_dir_perms;
+-	read_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+-	read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+-
+-	manage_dirs_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-	manage_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-	manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-	manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-	manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
 -	files_tmp_filetrans(httpd_$1_script_t,httpd_$1_script_rw_t,{ dir file lnk_file sock_file fifo_file })
-+	read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
-+	read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
++	allow httpd_$1_script_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
++	read_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t)
++	append_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t)
++	read_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t)
++
++	manage_dirs_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++	manage_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++	manage_lnk_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++	manage_fifo_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++	manage_sock_files_pattern(httpd_$1_script_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
  
  	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
  	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -96,6 +93,7 @@
+@@ -96,6 +90,7 @@
  	dev_read_urand(httpd_$1_script_t)
  
  	corecmd_exec_all_executables(httpd_$1_script_t)
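Review bot: `type httpd_$1_content_t;` and the new `httpd_$1_content_rw_t` / `httpd_$1_content_ra_t` declarations no longer carry the `httpdcontent` attribute, and nothing in the template restores it, so every instantiation of apache_content_template is left outside httpdcontent unless the instantiating module re-attaches it; as far as this diff shows, only the sys instantiation in apache.te does so. Interfaces that key on httpdcontent then silently stop matching the other instantiations' content, so if this is intended, record it at the declarations, e.g. `# not httpdcontent: the instantiating module decides which content types join the attribute`. The same hunk also replaces `allow httpd_t httpd_$1_htaccess_t:file read_file_perms;` with `read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_htaccess_t)`, which adds directory search on the content type; that widening is reasonable but deserves a word in the comment above it. The template starts before this hunk.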
@@ -7683,18 +7792,55 @@
  
  	files_exec_etc_files(httpd_$1_script_t)
  	files_read_etc_files(httpd_$1_script_t)
-@@ -120,10 +118,6 @@
- 		can_exec(httpd_$1_script_t, httpdcontent)
- 	')
+@@ -111,34 +106,21 @@
  
+ 	seutil_dontaudit_search_config(httpd_$1_script_t)
+ 
+-	tunable_policy(`httpd_enable_cgi && httpd_unified',`
+-		allow httpd_$1_script_t httpdcontent:file entrypoint;
+-
+-		manage_dirs_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
+-		manage_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
+-		manage_lnk_files_pattern(httpd_$1_script_t,httpdcontent,httpdcontent)
+-		can_exec(httpd_$1_script_t, httpdcontent)
+-	')
+-
 -	tunable_policy(`allow_httpd_$1_script_anon_write',`
 -		miscfiles_manage_public_files(httpd_$1_script_t)
 -	') 
 -
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
- 		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-@@ -177,48 +171,6 @@
+-		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-		manage_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-		manage_lnk_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-		rw_sock_files_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+-
+-		allow httpd_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
+-		read_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+-		append_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+-		read_lnk_files_pattern(httpd_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
+-
+-		allow httpd_t httpd_$1_script_ro_t:dir list_dir_perms;
+-		read_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
+-		read_lnk_files_pattern(httpd_t,httpd_$1_script_ro_t,httpd_$1_script_ro_t)
++		manage_dirs_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++		manage_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++		manage_lnk_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++		rw_sock_files_pattern(httpd_t,httpd_$1_content_rw_t,httpd_$1_content_rw_t)
++
++		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
++		read_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t)
++		append_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t)
++		read_lnk_files_pattern(httpd_t,httpd_$1_content_ra_t,httpd_$1_content_ra_t)
++
++		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
++		read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
++		read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
+ 
+ 		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
+ 		read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
+@@ -177,48 +159,6 @@
  		miscfiles_read_localization(httpd_$1_script_t)
  	')
  
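Review bot: The three lines added at the end of the `httpd_builtin_scripting` block (`allow httpd_t httpd_$1_content_t:dir list_dir_perms;` and the two read patterns on httpd_$1_content_t) duplicate the context lines that immediately follow them, so the same three rules now appear twice in the template. The policy compiler merges duplicate rules, but two copies invite a future edit to touch only one; drop the added copy and keep the existing one. This hunk also removes the template-level `httpd_enable_cgi && httpd_unified` block, so unified behaviour now exists only where a caller re-adds it; a one-line comment at the removal site naming that location would save the next reader a search. The template continues outside this hunk.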
@@ -7743,7 +7889,7 @@
  	optional_policy(`
  		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
  			nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -265,72 +217,79 @@
+@@ -265,72 +205,77 @@
  template(`apache_per_role_template', `
  	gen_require(`
  		attribute httpdcontent, httpd_script_domains;
@@ -7754,19 +7900,19 @@
 +		type httpd_t, httpd_suexec_t, httpd_log_t, httpd_sys_script_t;
 +		type httpd_user_content_t;
 +		type httpd_user_script_t;
-+		type httpd_user_script_ra_t;
-+		type httpd_user_script_rw_t;
-+		type httpd_user_script_ro_t;
++		type httpd_user_content_ra_t;
++		type httpd_user_content_rw_t;
++		type httpd_user_content_t;
 +		type httpd_user_script_exec_t;
 +		type httpd_user_htaccess_t;
 +	')
 +
 +
 +	ifelse(`$1',`user',`',`
-+		typealias httpd_user_content_t alias httpd_$1_content_t;
-+		typealias httpd_user_script_ra_t alias httpd_$1_script_ra_t;
-+		typealias httpd_user_script_rw_t alias httpd_$1_script_rw_t;
-+		typealias httpd_user_script_ro_t alias httpd_$1_script_ro_t;
++		typealias httpd_user_content_t alias httpd_$1_script_t;
++		typealias httpd_user_content_ra_t alias httpd_$1_script_ra_t;
++		typealias httpd_user_content_rw_t alias httpd_$1_script_rw_t;
++		typealias httpd_user_content_t alias httpd_$1_script_ro_t;
 +		typealias httpd_user_script_exec_t alias httpd_$1_script_exec_t;
 +		typealias httpd_user_htaccess_t alias httpd_$1_htaccess_t;
  	')
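Review bot: `typealias httpd_user_content_t alias httpd_$1_script_t;` looks like a slip from the rename: the 1.84 line aliased httpd_user_content_t to `httpd_$1_content_t`, and `httpd_$1_script_t` is the name the content template uses for the script process domain, so the new alias collides with that name while the `httpd_$1_content_t` alias disappears. Restore `typealias httpd_user_content_t alias httpd_$1_content_t;` and keep the `httpd_$1_script_ro_t` alias three lines below it. The gen_require block in this hunk also now lists `type httpd_user_content_t;` twice; the second copy can go. The template body continues past this hunk.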
@@ -7821,26 +7967,26 @@
 +
 +	allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
 +
-+	manage_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-+	manage_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-+	manage_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-+	relabel_dirs_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-+	relabel_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-+	relabel_lnk_files_pattern($2,httpd_user_script_ra_t,httpd_user_script_ra_t)
-+
-+	manage_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-+	manage_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-+	manage_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-+	relabel_dirs_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-+	relabel_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-+	relabel_lnk_files_pattern($2,httpd_user_script_ro_t,httpd_user_script_ro_t)
-+
-+	manage_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-+	manage_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-+	manage_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-+	relabel_dirs_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-+	relabel_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
-+	relabel_lnk_files_pattern($2,httpd_user_script_rw_t,httpd_user_script_rw_t)
++	manage_dirs_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t)
++	manage_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t)
++	manage_lnk_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t)
++	relabel_dirs_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t)
++	relabel_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t)
++	relabel_lnk_files_pattern($2,httpd_user_content_ra_t,httpd_user_content_ra_t)
++
++	manage_dirs_pattern($2,httpd_user_content_t,httpd_user_content_t)
++	manage_files_pattern($2,httpd_user_content_t,httpd_user_content_t)
++	manage_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t)
++	relabel_dirs_pattern($2,httpd_user_content_t,httpd_user_content_t)
++	relabel_files_pattern($2,httpd_user_content_t,httpd_user_content_t)
++	relabel_lnk_files_pattern($2,httpd_user_content_t,httpd_user_content_t)
++
++	manage_dirs_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t)
++	manage_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t)
++	manage_lnk_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t)
++	relabel_dirs_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t)
++	relabel_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t)
++	relabel_lnk_files_pattern($2,httpd_user_content_rw_t,httpd_user_content_rw_t)
 +
 +	manage_dirs_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
 +	manage_files_pattern($2,httpd_user_script_exec_t,httpd_user_script_exec_t)
@@ -7857,10 +8003,9 @@
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
 -		allow httpd_$1_script_t httpdcontent:file entrypoint;
-+		allow httpd_user_script_t httpdcontent:file entrypoint;
- 
+-
 -		domtrans_pattern($2, httpdcontent, httpd_$1_script_t)
-+		domtrans_pattern($2, httpdcontent, httpd_user_script_t)
++		can_exec(httpd_user_script_t, httpd_user_content_t)
  	')
  
  	# allow accessing files/dirs below the users home dir
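Review bot: Under `httpd_enable_cgi && httpd_unified` the per-role template now grants only `can_exec(httpd_user_script_t, httpd_user_content_t)`, while the sys unified block added to apache.te later in this diff also grants `entrypoint` on its content type and a file transition to the rw type, so the two unified blocks no longer describe the same behaviour. If the difference is deliberate, because user-managed content should never become a domain entry point, a comment such as `# unified: scripts may exec user content in place, but it is never an entrypoint` would record that; if not, the two blocks should be aligned. The template continues outside this hunk.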
@@ -7875,7 +8020,7 @@
  	')
  ')
  
-@@ -352,12 +311,11 @@
+@@ -352,12 +297,11 @@
  #
  template(`apache_read_user_scripts',`
  	gen_require(`
@@ -7892,7 +8037,7 @@
  ')
  
  ########################################
-@@ -378,12 +336,12 @@
+@@ -378,12 +322,12 @@
  #
  template(`apache_read_user_content',`
  	gen_require(`
@@ -7909,7 +8054,7 @@
  ')
  
  ########################################
-@@ -761,6 +719,7 @@
+@@ -761,6 +705,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -7917,18 +8062,26 @@
  ')
  
  ########################################
-@@ -845,6 +804,10 @@
+@@ -841,12 +786,16 @@
+ # sysadm_t to run scripts
+ interface(`apache_domtrans_sys_script',`
+ 	gen_require(`
+-		attribute httpdcontent;
  		type httpd_sys_script_t;
- 	')
- 
-+	tunable_policy(`httpd_enable_cgi',`
-+		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
++		type httpd_sys_content_t;
 +	')
 +
++	tunable_policy(`httpd_enable_cgi',`
++		domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)
+ 	')
+ 
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
- 		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
+-		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
++		domtrans_pattern($1, httpd_sys_content_t, httpd_sys_script_t)
  	')
-@@ -932,7 +895,7 @@
+ ')
+ 
+@@ -932,7 +881,7 @@
  		type httpd_squirrelmail_t;
  	')
  
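Review bot: `domtrans_pattern($1, httpd_sys_script_exec_t, httpd_sys_script_t)` in the new `httpd_enable_cgi` block uses httpd_sys_script_exec_t, but the gen_require above it lists only httpd_sys_script_t and the newly added httpd_sys_content_t, so a module calling this interface has no requirement recorded for that type and may fail to link. Add `type httpd_sys_script_exec_t;` to the gen_require block. The omission was already present in 1.84, but this revision rewrites the block and is the place to fix it.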
@@ -7937,7 +8090,7 @@
  ')
  
  ########################################
-@@ -1023,16 +986,16 @@
+@@ -1023,16 +972,16 @@
  #
  interface(`apache_manage_all_user_content',`
  	gen_require(`
@@ -7961,7 +8114,7 @@
  ')
  
  ########################################
-@@ -1088,3 +1051,133 @@
+@@ -1088,3 +1037,133 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -8097,7 +8250,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-02-28 16:49:32.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-02-29 13:36:51.000000000 -0500
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -8193,7 +8346,17 @@
  # httpd_modules_t is the type given to module files (libraries) 
  # that come with Apache /etc/httpd/modules and /usr/lib/apache
  type httpd_modules_t;
-@@ -202,12 +233,16 @@
+@@ -180,6 +211,9 @@
+ 
+ # setup the system domain for system CGI scripts
+ apache_content_template(sys)
++typeattribute httpd_sys_content_t httpdcontent; # customizable
++typeattribute httpd_sys_content_rw_t httpdcontent; # customizable
++typeattribute httpd_sys_content_ra_t httpdcontent; # customizable
+ 
+ type httpd_tmp_t;
+ files_tmp_file(httpd_tmp_t)
+@@ -202,12 +236,16 @@
  	prelink_object_file(httpd_modules_t)
  ')
  
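Review bot: The three `typeattribute ... httpdcontent; # customizable` lines move the `# customizable` marker from the type declarations in the template onto typeattribute statements; if the build still derives customizable_types from that marker on `type` lines, these three types will drop out of the generated list and restorecon will start relabelling them. Confirm against the policy Makefile, and if the marker is only informational here, say so in a comment so nobody relies on it. A short comment above these lines stating that only the sys content types join httpdcontent would also make the behaviour change visible in what is otherwise a rename commit. The declaration run continues outside this hunk.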
@@ -8211,7 +8374,7 @@
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow httpd_t self:fd use;
-@@ -249,6 +284,7 @@
+@@ -249,6 +287,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
  read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -8219,7 +8382,7 @@
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -289,6 +325,7 @@
+@@ -289,6 +328,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -8227,7 +8390,7 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -315,9 +352,7 @@
+@@ -315,9 +355,7 @@
  
  auth_use_nsswitch(httpd_t)
  
@@ -8238,18 +8401,18 @@
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -335,6 +370,10 @@
+@@ -335,6 +373,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
 +# php uploads a file to /tmp and then execs programs to acton them
 +manage_dirs_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
 +manage_files_pattern(httpd_sys_script_t,httpd_tmp_t,httpd_tmp_t)
-+files_tmp_filetrans(httpd_sys_script_t,httpd_sys_script_rw_t,{ dir file lnk_file sock_file fifo_file })
++files_tmp_filetrans(httpd_sys_script_t,httpd_sys_content_rw_t,{ dir file lnk_file sock_file fifo_file })
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -351,25 +390,38 @@
+@@ -351,25 +393,38 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -8293,18 +8456,35 @@
  tunable_policy(`httpd_can_network_relay',`
  	# allow httpd to work as a relay
  	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +434,10 @@
+@@ -382,12 +437,22 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
+-tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+-	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
++tunable_policy(`httpd_enable_cgi && httpd_unified',`
++	allow httpd_sys_script_t httpd_sys_content_t:file entrypoint;
++	filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file })
++	can_exec(httpd_sys_script_t, httpd_sys_content_t)
++')
++
 +tunable_policy(`allow_httpd_sys_script_anon_write',`
 +	miscfiles_manage_public_files(httpd_sys_script_t)
 +') 
-+
- tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
- 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -399,11 +455,21 @@
+-	manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
+-	manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
+-	manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
++tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
++	domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
++	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
++	manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
++	manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
++	manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ ')
+ 
+ tunable_policy(`httpd_enable_ftp_server',`
+@@ -399,11 +464,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -8326,7 +8506,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +503,14 @@
+@@ -437,8 +512,14 @@
  ')
  
  optional_policy(`
@@ -8342,7 +8522,7 @@
  ')
  
  optional_policy(`
-@@ -450,19 +522,13 @@
+@@ -450,19 +531,13 @@
  ')
  
  optional_policy(`
@@ -8363,7 +8543,7 @@
  ')
  
  optional_policy(`
-@@ -472,13 +538,14 @@
+@@ -472,13 +547,14 @@
  	openca_kill(httpd_t)
  ')
  
@@ -8382,7 +8562,7 @@
  ')
  
  optional_policy(`
-@@ -486,6 +553,7 @@
+@@ -486,6 +562,7 @@
  ')
  
  optional_policy(`
@@ -8390,7 +8570,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -521,6 +589,19 @@
+@@ -521,6 +598,19 @@
  	userdom_use_sysadm_terms(httpd_helper_t)
  ')
  
@@ -8410,7 +8590,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -550,18 +631,24 @@
+@@ -550,18 +640,24 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -8438,7 +8618,7 @@
  ')
  
  ########################################
-@@ -585,6 +672,8 @@
+@@ -585,6 +681,8 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -8447,7 +8627,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +682,7 @@
+@@ -593,9 +691,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -8458,7 +8638,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +715,7 @@
+@@ -628,6 +724,7 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -8466,7 +8646,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -638,6 +726,12 @@
+@@ -638,6 +735,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -8479,7 +8659,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +749,6 @@
+@@ -655,10 +758,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -8490,7 +8670,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +758,8 @@
+@@ -668,7 +767,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -8500,7 +8680,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +773,44 @@
+@@ -682,15 +782,44 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -8546,7 +8726,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +820,15 @@
+@@ -700,9 +829,15 @@
  	clamav_domtrans_clamscan(httpd_sys_script_t)
  ')
  
@@ -8562,7 +8742,7 @@
  ')
  
  ########################################
-@@ -724,3 +850,46 @@
+@@ -724,3 +859,46 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -9951,7 +10131,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.3.1/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/clamav.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/clamav.te	2008-02-29 09:36:56.000000000 -0500
 @@ -48,6 +48,9 @@
  type freshclam_var_log_t;
  logging_log_file(freshclam_var_log_t)
@@ -9962,15 +10142,17 @@
  ########################################
  #
  # clamd local policy
-@@ -87,6 +90,7 @@
+@@ -87,6 +90,9 @@
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
  kernel_read_kernel_sysctls(clamd_t)
 +kernel_read_system_state(clamd_t)
++
++corecmd_search_bin(clamd_t)
  
  corenet_all_recvfrom_unlabeled(clamd_t)
  corenet_all_recvfrom_netlabel(clamd_t)
-@@ -120,6 +124,8 @@
+@@ -120,6 +126,8 @@
  cron_use_system_job_fds(clamd_t)
  cron_rw_pipes(clamd_t)
  
@@ -9979,7 +10161,7 @@
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
-@@ -127,6 +133,10 @@
+@@ -127,6 +135,10 @@
  	amavis_create_pid_files(clamd_t)
  ')
  
@@ -9990,7 +10172,7 @@
  ########################################
  #
  # Freshclam local policy
-@@ -233,3 +243,7 @@
+@@ -233,3 +245,7 @@
  optional_policy(`
  	apache_read_sys_content(clamscan_t)
  ')
@@ -20565,7 +20747,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/setroubleshoot.te	2008-02-29 09:09:42.000000000 -0500
 @@ -22,13 +22,16 @@
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
@@ -20595,7 +20777,7 @@
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +73,21 @@
+@@ -68,16 +73,23 @@
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
@@ -20615,10 +20797,12 @@
  fs_getattr_all_dirs(setroubleshootd_t)
  fs_getattr_all_files(setroubleshootd_t)
 +fs_read_fusefs_symlinks(setroubleshootd_t)
++fs_dontaudit_read_nfs_files(setroubleshootd_t)
++fs_dontaudit_read_cifs_files(setroubleshootd_t)
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -97,19 +107,20 @@
+@@ -97,19 +109,20 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
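Review bot: `fs_dontaudit_read_nfs_files(setroubleshootd_t)` and `fs_dontaudit_read_cifs_files(setroubleshootd_t)` silence read denials on NFS and CIFS content without saying why the daemon touches those files. If setroubleshootd actually needs to inspect them while diagnosing, the refpolicy idiom used elsewhere in this patch is a `tunable_policy(`use_nfs_home_dirs',` / `use_samba_home_dirs` block granting `fs_read_nfs_files` / `fs_read_cifs_files`, rather than a blanket dontaudit that also hides a real denial from the audit trail. If the reads are incidental, a one-line comment above the pair, `# incidental stat/read of network home content; not needed for diagnosis`, would make the intent clear to the next reader. The enclosing block starts and ends outside the hunk.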
@@ -22717,7 +22901,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-28 09:30:18.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if	2008-02-29 17:12:34.000000000 -0500
 @@ -15,6 +15,11 @@
  template(`xserver_common_domain_template',`
  	gen_require(`
@@ -22839,7 +23023,7 @@
 +
 +		allow $1_xserver_t input_xevent_t:x_event send;
 +		allow $1_xserver_t x_rootwindow_t:x_drawable send;
-+		allow $1_xserver_t $1_input_xevent_t:x_event send;
++		allow $1_xserver_t xdm_input_xevent_t:x_event send;
 +		allow $1_xserver_t $1_t:x_drawable send;
 +
 +	',`
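Review bot: `allow $1_xserver_t xdm_input_xevent_t:x_event send;` hard-codes the xdm event type inside a template keyed on `$1`, so every X server instantiated from it now sends to xdm's input event type rather than its own `$1_input_xevent_t`. That looks deliberate given the parallel `$1_input_xevent_type` → `xdm_input_xevent_type` rewrite further down in this commit, but `xdm_input_xevent_t` then has to be listed in this template's `gen_require`, which is outside the hunk and should be checked. A comment above the rule, `# all X servers deliver input via the xdm-owned input event type`, would record the design decision. The enclosing template begins outside the hunk.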
@@ -23113,29 +23297,29 @@
 +	optional_policy(`
 +		xserver_read_user_iceauth($1, $2)
 +	')
-+
+ 
+-	libs_use_ld_so($1_iceauth_t)
+-	libs_use_shared_libs($1_iceauth_t)
 +	##############################
 +	#
 +	# User X object manager local policy
 +	#
  
--	libs_use_ld_so($1_iceauth_t)
--	libs_use_shared_libs($1_iceauth_t)
+-	userdom_use_user_terminals($1,$1_iceauth_t)
 +	# Device rules
 +	allow xdm_x_domain $2:x_device { getattr setattr setfocus grab bell };
  
--	userdom_use_user_terminals($1,$1_iceauth_t)
-+	allow $2 { input_xevent_t xdm_input_xevent_type }:x_event send;
-+	allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
- 
 -	tunable_policy(`use_nfs_home_dirs',`
 -		fs_manage_nfs_files($1_iceauth_t)
 -	')
-+	mls_xwin_read_to_clearance($2)
++	allow $2 { input_xevent_t xdm_input_xevent_type }:x_event send;
++	allow $2 { x_rootwindow_t xdm_x_domain }:x_drawable send;
  
 -	tunable_policy(`use_samba_home_dirs',`
 -		fs_manage_cifs_files($1_iceauth_t)
 -	')
++	mls_xwin_read_to_clearance($2)
++
 +	xserver_user_x_domain_template($1,$1_t,$1_t,$1_tmpfs_t)
  ')
  
@@ -23168,7 +23352,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -542,25 +539,364 @@
+@@ -542,25 +539,382 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -23267,7 +23451,6 @@
 +		attribute x_server_domain, x_domain;
 +		attribute xproperty_type;
 +		attribute xevent_type, xextension_type;
-+		attribute $1_x_domain, $1_input_xevent_type;
 +		class x_drawable all_x_drawable_perms;
 +		class x_screen all_x_screen_perms;
 +		class x_gc all_x_gc_perms;
@@ -23283,6 +23466,9 @@
 +		class x_resource all_x_resource_perms;
 +		class x_event all_x_event_perms;
 +		class x_synthetic_event all_x_synthetic_event_perms;
++
++		attribute xdm_x_domain, xdm_input_xevent_type;
++		type xdm_t;
 +	')
 +
 +	##############################
@@ -23291,13 +23477,13 @@
 +	#
 +
 +	# Type attributes
-+	typeattribute $3 $1_x_domain, x_domain;
++	typeattribute $2_t xdm_x_domain, x_domain;
 +
 +	# Types for properties
 +	type $2_default_xproperty_t, xproperty_type;
 +
 +	# Types for events
-+	type $2_input_xevent_t, $1_input_xevent_type, xevent_type;
++	type $2_input_xevent_t, xdm_input_xevent_type, xevent_type;
 +	type $2_property_xevent_t, xevent_type;
 +	type $2_focus_xevent_t, xevent_type;
 +	type $2_manage_xevent_t, xevent_type;
@@ -23312,7 +23498,7 @@
 +	# Hacks
 +	# everyone can get the input focus of everyone else
 +	# this is a fundamental brokenness in the X protocol
-+	allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab };
++	allow $3 { x_domain x_server_domain }:x_device { getfocus setfocus use setattr bell manage freeze getattr grab force_cursor };
 +	tunable_policy(`allow_read_x_device',`
 +		allow $3 { x_domain x_server_domain }:x_device read;
 +	')
@@ -23325,7 +23511,7 @@
 +	allow $3 x_server_domain:x_server { getattr manage };
 +	# everyone can do override-redirect windows.
 +	# this could be used to spoof labels
-+	allow $3 self:x_drawable override;
++	allow $3 $3:x_drawable override;
 +	# everyone can receive management events on the root window
 +	# allows to know when new windows appear, among other things
 +	allow $3 manage_xevent_t:x_event receive;
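Review bot: `allow $3 $3:x_drawable override;` is not equivalent to the `allow $3 self:x_drawable override;` it replaces: `self` expands to each type acting on its own drawables, whereas `$3 $3` is the full cross product, so once `$3` is an attribute (the userdomain.if hunk in this commit passes `$1_usertype`, and the `type_transition` defaults in this template were switched to `$2_t`, which only makes sense if `$3` is no longer a single type) every member type gains `override` on every other member's drawables. The same `self` → `$3 $3` rewrite recurs below for `x_client { manage destroy }`, the `x_drawable` property and window rules, `x_cursor`/`x_gc`/`x_colormap`/`x_resource`, and `unix_stream_socket { connectto create_stream_socket_perms }` — the last grants cross-type `connectto` while the adjacent `shm` and `unix_dgram_socket` rules in that hunk keep `self`. If intra-attribute sharing is intended, say so once at the first occurrence, `# $3 may be an attribute; its member types may share each other's X objects and sockets`; if not, `self` already handles the attribute case per type and should stay. The enclosing template starts and ends outside this hunk.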
@@ -23334,7 +23520,7 @@
 +	# can read server-owned resources
 +	allow $3 x_server_domain:x_resource read;
 +	# can mess with own clients
-+	allow $3 self:x_client { manage destroy };
++	allow $3 $3:x_client { manage destroy };
 +
 +	# X Protocol Extensions
 +	allow $3 std_xext_t:x_extension { query use };
@@ -23344,12 +23530,15 @@
 +	# X Properties
 +	# can read and write client properties
 +	allow $3 $2_default_xproperty_t:x_property { create destroy read write };
++	allow $1_t $2_default_xproperty_t:x_property { read };
++
 +	allow $3 default_xproperty_t:x_property read;
++
 +	allow $3 output_xext_t:x_extension use;
 +
 +	allow $3 xdm_default_xproperty_t:x_property { write read };
 +
-+	type_transition $3 default_xproperty_t:x_property $2_default_xproperty_t;
++	type_transition $2_t default_xproperty_t:x_property $2_default_xproperty_t;
 +	# can read and write cut buffers
 +	allow $3 clipboard_xproperty_t:x_property { create read write };
 +	# can read/write info properties
@@ -23358,15 +23547,15 @@
 +	# can change properties of root window
 +	allow $3 x_rootwindow_t:x_drawable { list_property get_property set_property };
 +	# can change properties of own windows
-+	allow $3 self:x_drawable { list_property get_property set_property };
++	allow $3 $3:x_drawable { list_property get_property set_property };
 +
 +	# X Windows
 +	# operations allowed on root windows
 +	allow $3 x_rootwindow_t:x_drawable { getattr list_child add_child remove_child send receive read write manage setattr show };
 +
 +	# operations allowed on my windows
-+	allow $3 self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
-+	type_transition $3 x_rootwindow_t:x_drawable $3;
++	allow $3 $3:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
++	type_transition $2_t x_rootwindow_t:x_drawable $2_t;
 +
 +	# X Colormaps
 +	# can use the default colormap
@@ -23378,21 +23567,32 @@
 +	# X Input
 +	# can receive own events
 +	allow $3 $2_input_xevent_t:{ x_event x_synthetic_event } receive;
++	allow $3 input_xevent_t:{ x_event x_synthetic_event } receive;
++	allow $1_t $2_input_xevent_t:{ x_event x_synthetic_event } receive;
++
 +	allow $3 $2_property_xevent_t:{ x_event x_synthetic_event } receive;
++	allow $1_t $2_property_xevent_t:{ x_event x_synthetic_event } receive;
++
 +	allow $3 $2_focus_xevent_t:{ x_event x_synthetic_event } receive;
++	allow $1_t $2_focus_xevent_t:{ x_event x_synthetic_event } receive;
++
 +	allow $3 $2_manage_xevent_t:{ x_event x_synthetic_event } receive;
++	allow $1_t $2_manage_xevent_t:{ x_event x_synthetic_event } { send receive };
++
 +	allow $3 $2_default_xevent_t:{ x_event x_synthetic_event } receive;
-+	allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } receive;
-+	allow $3 $2_client_xevent_t:x_synthetic_event send;
-+	type_transition $3 input_xevent_t:x_event $2_input_xevent_t;
-+	type_transition $3 property_xevent_t:x_event $2_property_xevent_t;
-+	type_transition $3 focus_xevent_t:x_event $2_focus_xevent_t;
-+	type_transition $3 manage_xevent_t:x_event $2_manage_xevent_t;
-+	type_transition $3 default_xevent_t:x_event $2_default_xevent_t;
++	allow $1_t $2_default_xevent_t:{ x_event x_synthetic_event } receive;
++	
++	allow $3 $2_client_xevent_t:{ x_event x_synthetic_event } { send receive };
++	allow $1_t $2_client_xevent_t:{ x_event x_synthetic_event } { send };
++	type_transition $2_t input_xevent_t:x_event $2_input_xevent_t;
++	type_transition $2_t property_xevent_t:x_event $2_property_xevent_t;
++	type_transition $2_t focus_xevent_t:x_event $2_focus_xevent_t;
++	type_transition $2_t manage_xevent_t:x_event $2_manage_xevent_t;
++	type_transition $2_t default_xevent_t:x_event $2_default_xevent_t;
 +
 +	allow $3 default_xevent_t:x_event receive;
 +
-+	type_transition $3 client_xevent_t:x_event $2_client_xevent_t;
++	type_transition $2_t client_xevent_t:x_event $2_client_xevent_t;
 +	# can receive certain root window events
 +	allow $3 focus_xevent_t:x_event receive;
 +	allow $3 property_xevent_t:x_event receive;
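Review bot: `allow $1_t $2_manage_xevent_t:{ x_event x_synthetic_event } { send receive };` is the only new `$1_t` rule that grants `send`; the neighbouring `$1_t` rules for input, property, focus, default and client events are `receive`-only (or `send`-only for client events), and nothing explains why manage events differ. Either a comment such as `# $1_t synthesizes manage events for $2's windows` or dropping `send` if it was carried over by mistake would settle it. Separately, the added separator line after the default-event rules consists of a lone tab; it should be an empty line like the other separators in this block. The enclosing template starts and ends outside the hunk.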
@@ -23412,13 +23612,13 @@
 +
 +	# Other X Objects
 +	# can create and use cursors
-+	allow $3 self:x_cursor *;
++	allow $3 $3:x_cursor *;
 +	# can create and use graphics contexts
-+	allow $3 self:x_gc *;
++	allow $3 $3:x_gc *;
 +	# can create and use colormaps
-+	allow $3 self:x_colormap *;
++	allow $3 $3:x_colormap *;
 +	# can read and write own objects
-+	allow $3 self:x_resource { read write };
++	allow $3 $3:x_resource { read write };
 +
 +	allow $3 screensaver_xext_t:x_extension use;
 +	allow $3 unknown_xext_t:x_extension use;
@@ -23453,9 +23653,11 @@
 +		allow $3 xevent_type:{ x_event x_synthetic_event } *;
 +	')
 +
++	allow $3 xdm_t:x_client destroy;
++	allow $3 xdm_t:x_drawable { receive get_property getattr list_child };
 +
-+	allow xdm_xserver_t $2_input_xevent_t:x_event send;
-+	allow xdm_xserver_t $3:x_drawable send;
++	allow x_server_domain $2_input_xevent_t:x_event send;
++	allow x_xserver_domain $3:x_drawable send;
 +')
 +
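Review bot: `allow x_xserver_domain $3:x_drawable send;` names an attribute that does not match the `x_server_domain` used on the line directly above it and declared in the `gen_require` shown earlier in this diff (`attribute x_server_domain, x_domain;`, which appears to belong to the same template); unless `x_xserver_domain` is declared elsewhere this is a typo that will fail at policy build, and the fix is `allow x_server_domain $3:x_drawable send;`. Also, `allow $3 xdm_t:x_client destroy;` lets every domain in `$3` tear down the display manager's X client connection; if that is required for session teardown, a comment stating so would help, otherwise the narrower `x_drawable { receive get_property getattr list_child }` rule on the next line may be all that is needed. The enclosing template starts outside the hunk.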
 +#######################################
@@ -23495,7 +23697,7 @@
 +
 +	allow $3 self:shm create_shm_perms;
 +	allow $3 self:unix_dgram_socket create_socket_perms;
-+	allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
++	allow $3 $3:unix_stream_socket { connectto create_stream_socket_perms };
 +
 +	# Read .Xauthority file
 +	allow $3 user_xauth_home_t:file { getattr read };
@@ -23524,7 +23726,7 @@
 +	xserver_read_xdm_tmp_files($3)
 +
 +	# X object manager
-+	xserver_common_x_domain_template(xdm,$2,$3)
++	xserver_common_x_domain_template($1,$2,$3)
 +
 +	userdom_search_user_home_dirs($1,$3)
 +	userdom_manage_user_home_content_dirs($1, xdm_t)
@@ -23539,7 +23741,7 @@
  	')
  ')
  
-@@ -593,26 +929,44 @@
+@@ -593,26 +947,44 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
@@ -23591,7 +23793,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -638,10 +992,77 @@
+@@ -638,10 +1010,77 @@
  #
  template(`xserver_domtrans_user_xauth',`
  	gen_require(`
@@ -23671,7 +23873,7 @@
  ')
  
  ########################################
-@@ -671,10 +1092,10 @@
+@@ -671,10 +1110,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -23684,7 +23886,7 @@
  ')
  
  ########################################
-@@ -760,7 +1181,7 @@
+@@ -760,7 +1199,7 @@
  		type xconsole_device_t;
  	')
  
@@ -23693,7 +23895,7 @@
  ')
  
  ########################################
-@@ -860,6 +1281,25 @@
+@@ -860,6 +1299,25 @@
  
  ########################################
  ## <summary>
@@ -23719,7 +23921,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -914,6 +1354,7 @@
+@@ -914,6 +1372,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -23727,7 +23929,7 @@
  ')
  
  ########################################
-@@ -955,6 +1396,24 @@
+@@ -955,6 +1414,24 @@
  
  ########################################
  ## <summary>
@@ -23752,7 +23954,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -965,15 +1424,47 @@
+@@ -965,15 +1442,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -23801,7 +24003,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1123,7 +1614,7 @@
+@@ -1123,7 +1632,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -23810,7 +24012,7 @@
  ')
  
  ########################################
-@@ -1312,3 +1803,108 @@
+@@ -1312,3 +1821,108 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -26554,14 +26756,15 @@
  #################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.3.1/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/mount.fc	2008-02-26 08:29:22.000000000 -0500
-@@ -1,4 +1,5 @@
++++ serefpolicy-3.3.1/policy/modules/system/mount.fc	2008-02-29 16:11:11.000000000 -0500
+@@ -1,4 +1,6 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 -
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 +/sbin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
++/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
 +/usr/bin/fusermount            --      gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-02-06 10:33:22.000000000 -0500
@@ -28572,7 +28775,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-02-27 13:18:26.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-02-29 16:26:11.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -29089,7 +29292,7 @@
 -	xserver_xsession_entry_type($1_t)
 -	xserver_dontaudit_write_log($1_t)
 -	xserver_stream_connect_xdm($1_t)
-+	xserver_user_x_domain_template($1,$1,$1_t, $1_tmpfs_t)
++	xserver_user_x_domain_template($1,$1,$1_usertype, $1_tmpfs_t)
 +	xserver_xsession_entry_type($1_usertype)
 +	xserver_dontaudit_write_log($1_usertype)
 +	xserver_stream_connect_xdm($1_usertype)
@@ -29659,11 +29862,15 @@
  	')
  
  	# Run pppd in pppd_t by default for user
-@@ -1207,7 +1208,23 @@
+@@ -1207,7 +1208,27 @@
  	')
  
  	optional_policy(`
 -		setroubleshoot_stream_connect($1_t)
++		mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
++	')
++
++	optional_policy(`
 +		nsplugin_per_role_template($1, $1_usertype, $1_r)
 +	')
 +
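Review bot: `mount_run($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })` grants the user domain a transition into the mount domain with no comment on the motivation. Since this same commit labels `/bin/fusermount` as `mount_exec_t` in mount.fc, the intent is presumably to let users run fusermount, and a line such as `# fusermount is mount_exec_t; let users run it in the mount domain` above the new optional_policy block would record that. It is also worth confirming which user template this lands in, because the enclosing template starts outside the hunk and a transition into the mount domain widens what a user shell can reach.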
@@ -29684,7 +29891,7 @@
  	')
  ')
  
-@@ -1284,8 +1301,6 @@
+@@ -1284,8 +1305,6 @@
  	# Manipulate other users crontab.
  	allow $1_t self:passwd crontab;
  
@@ -29693,7 +29900,7 @@
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
  	kernel_getattr_message_if($1_t)
-@@ -1363,13 +1378,6 @@
+@@ -1363,13 +1382,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -29707,7 +29914,7 @@
  	optional_policy(`
  		userhelper_exec($1_t)
  	')
-@@ -1422,6 +1430,7 @@
+@@ -1422,6 +1434,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -29715,7 +29922,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1787,10 +1796,14 @@
+@@ -1787,10 +1800,14 @@
  template(`userdom_user_home_content',`
  	gen_require(`
  		attribute $1_file_type;
@@ -29731,7 +29938,7 @@
  ')
  
  ########################################
-@@ -1886,11 +1899,11 @@
+@@ -1886,11 +1903,11 @@
  #
  template(`userdom_search_user_home_dirs',`
  	gen_require(`
@@ -29745,7 +29952,7 @@
  ')
  
  ########################################
-@@ -1920,11 +1933,11 @@
+@@ -1920,11 +1937,11 @@
  #
  template(`userdom_list_user_home_dirs',`
  	gen_require(`
@@ -29759,7 +29966,7 @@
  ')
  
  ########################################
-@@ -1968,12 +1981,12 @@
+@@ -1968,12 +1985,12 @@
  #
  template(`userdom_user_home_domtrans',`
  	gen_require(`
@@ -29775,7 +29982,7 @@
  ')
  
  ########################################
-@@ -2003,10 +2016,10 @@
+@@ -2003,10 +2020,10 @@
  #
  template(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
@@ -29788,7 +29995,7 @@
  ')
  
  ########################################
-@@ -2038,11 +2051,47 @@
+@@ -2038,11 +2055,47 @@
  #
  template(`userdom_manage_user_home_content_dirs',`
  	gen_require(`
@@ -29838,7 +30045,7 @@
  ')
  
  ########################################
-@@ -2074,10 +2123,10 @@
+@@ -2074,10 +2127,10 @@
  #
  template(`userdom_dontaudit_setattr_user_home_content_files',`
  	gen_require(`
@@ -29851,7 +30058,7 @@
  ')
  
  ########################################
-@@ -2107,11 +2156,11 @@
+@@ -2107,11 +2160,11 @@
  #
  template(`userdom_read_user_home_content_files',`
  	gen_require(`
@@ -29865,7 +30072,7 @@
  ')
  
  ########################################
-@@ -2141,11 +2190,11 @@
+@@ -2141,11 +2194,11 @@
  #
  template(`userdom_dontaudit_read_user_home_content_files',`
  	gen_require(`
@@ -29880,7 +30087,7 @@
  ')
  
  ########################################
-@@ -2175,10 +2224,14 @@
+@@ -2175,10 +2228,14 @@
  #
  template(`userdom_dontaudit_write_user_home_content_files',`
  	gen_require(`
@@ -29897,7 +30104,7 @@
  ')
  
  ########################################
-@@ -2208,11 +2261,11 @@
+@@ -2208,11 +2265,11 @@
  #
  template(`userdom_read_user_home_content_symlinks',`
  	gen_require(`
@@ -29911,7 +30118,7 @@
  ')
  
  ########################################
-@@ -2242,11 +2295,11 @@
+@@ -2242,11 +2299,11 @@
  #
  template(`userdom_exec_user_home_content_files',`
  	gen_require(`
@@ -29925,7 +30132,7 @@
  ')
  
  ########################################
-@@ -2276,10 +2329,10 @@
+@@ -2276,10 +2333,10 @@
  #
  template(`userdom_dontaudit_exec_user_home_content_files',`
  	gen_require(`
@@ -29938,7 +30145,7 @@
  ')
  
  ########################################
-@@ -2311,12 +2364,12 @@
+@@ -2311,12 +2368,12 @@
  #
  template(`userdom_manage_user_home_content_files',`
  	gen_require(`
@@ -29954,7 +30161,7 @@
  ')
  
  ########################################
-@@ -2348,10 +2401,10 @@
+@@ -2348,10 +2405,10 @@
  #
  template(`userdom_dontaudit_manage_user_home_content_dirs',`
  	gen_require(`
@@ -29967,7 +30174,7 @@
  ')
  
  ########################################
-@@ -2383,12 +2436,12 @@
+@@ -2383,12 +2440,12 @@
  #
  template(`userdom_manage_user_home_content_symlinks',`
  	gen_require(`
@@ -29983,7 +30190,7 @@
  ')
  
  ########################################
-@@ -2420,12 +2473,12 @@
+@@ -2420,12 +2477,12 @@
  #
  template(`userdom_manage_user_home_content_pipes',`
  	gen_require(`
@@ -29999,7 +30206,7 @@
  ')
  
  ########################################
-@@ -2457,12 +2510,12 @@
+@@ -2457,12 +2514,12 @@
  #
  template(`userdom_manage_user_home_content_sockets',`
  	gen_require(`
@@ -30015,7 +30222,7 @@
  ')
  
  ########################################
-@@ -2507,11 +2560,11 @@
+@@ -2507,11 +2564,11 @@
  #
  template(`userdom_user_home_dir_filetrans',`
  	gen_require(`
@@ -30029,7 +30236,7 @@
  ')
  
  ########################################
-@@ -2556,11 +2609,11 @@
+@@ -2556,11 +2613,11 @@
  #
  template(`userdom_user_home_content_filetrans',`
  	gen_require(`
@@ -30043,7 +30250,7 @@
  ')
  
  ########################################
-@@ -2600,11 +2653,11 @@
+@@ -2600,11 +2657,11 @@
  #
  template(`userdom_user_home_dir_filetrans_user_home_content',`
  	gen_require(`
@@ -30057,7 +30264,7 @@
  ')
  
  ########################################
-@@ -2634,11 +2687,11 @@
+@@ -2634,11 +2691,11 @@
  #
  template(`userdom_write_user_tmp_sockets',`
  	gen_require(`
@@ -30071,7 +30278,7 @@
  ')
  
  ########################################
-@@ -2668,11 +2721,11 @@
+@@ -2668,11 +2725,11 @@
  #
  template(`userdom_list_user_tmp',`
  	gen_require(`
@@ -30085,7 +30292,7 @@
  ')
  
  ########################################
-@@ -2704,10 +2757,10 @@
+@@ -2704,10 +2761,10 @@
  #
  template(`userdom_dontaudit_list_user_tmp',`
  	gen_require(`
@@ -30098,7 +30305,7 @@
  ')
  
  ########################################
-@@ -2739,10 +2792,10 @@
+@@ -2739,10 +2796,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_dirs',`
  	gen_require(`
@@ -30111,7 +30318,7 @@
  ')
  
  ########################################
-@@ -2772,12 +2825,12 @@
+@@ -2772,12 +2829,12 @@
  #
  template(`userdom_read_user_tmp_files',`
  	gen_require(`
@@ -30127,7 +30334,7 @@
  ')
  
  ########################################
-@@ -2809,10 +2862,10 @@
+@@ -2809,10 +2866,10 @@
  #
  template(`userdom_dontaudit_read_user_tmp_files',`
  	gen_require(`
@@ -30140,7 +30347,7 @@
  ')
  
  ########################################
-@@ -2844,10 +2897,48 @@
+@@ -2844,10 +2901,48 @@
  #
  template(`userdom_dontaudit_append_user_tmp_files',`
  	gen_require(`
@@ -30191,7 +30398,7 @@
  ')
  
  ########################################
-@@ -2877,12 +2968,12 @@
+@@ -2877,12 +2972,12 @@
  #
  template(`userdom_rw_user_tmp_files',`
  	gen_require(`
@@ -30207,7 +30414,7 @@
  ')
  
  ########################################
-@@ -2914,10 +3005,10 @@
+@@ -2914,10 +3009,10 @@
  #
  template(`userdom_dontaudit_manage_user_tmp_files',`
  	gen_require(`
@@ -30220,7 +30427,7 @@
  ')
  
  ########################################
-@@ -2949,12 +3040,12 @@
+@@ -2949,12 +3044,12 @@
  #
  template(`userdom_read_user_tmp_symlinks',`
  	gen_require(`
@@ -30236,7 +30443,7 @@
  ')
  
  ########################################
-@@ -2986,11 +3077,11 @@
+@@ -2986,11 +3081,11 @@
  #
  template(`userdom_manage_user_tmp_dirs',`
  	gen_require(`
@@ -30250,7 +30457,7 @@
  ')
  
  ########################################
-@@ -3022,11 +3113,11 @@
+@@ -3022,11 +3117,11 @@
  #
  template(`userdom_manage_user_tmp_files',`
  	gen_require(`
@@ -30264,7 +30471,7 @@
  ')
  
  ########################################
-@@ -3058,11 +3149,11 @@
+@@ -3058,11 +3153,11 @@
  #
  template(`userdom_manage_user_tmp_symlinks',`
  	gen_require(`
@@ -30278,7 +30485,7 @@
  ')
  
  ########################################
-@@ -3094,11 +3185,11 @@
+@@ -3094,11 +3189,11 @@
  #
  template(`userdom_manage_user_tmp_pipes',`
  	gen_require(`
@@ -30292,7 +30499,7 @@
  ')
  
  ########################################
-@@ -3130,11 +3221,11 @@
+@@ -3130,11 +3225,11 @@
  #
  template(`userdom_manage_user_tmp_sockets',`
  	gen_require(`
@@ -30306,7 +30513,7 @@
  ')
  
  ########################################
-@@ -3179,10 +3270,10 @@
+@@ -3179,10 +3274,10 @@
  #
  template(`userdom_user_tmp_filetrans',`
  	gen_require(`
@@ -30319,7 +30526,7 @@
  	files_search_tmp($2)
  ')
  
-@@ -3223,10 +3314,10 @@
+@@ -3223,10 +3318,10 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -30332,7 +30539,7 @@
  ')
  
  ########################################
-@@ -3254,6 +3345,42 @@
+@@ -3254,6 +3349,42 @@
  ##	</summary>
  ## </param>
  #
@@ -30375,7 +30582,7 @@
  template(`userdom_rw_user_tmpfs_files',`
  	gen_require(`
  		type $1_tmpfs_t;
-@@ -4231,11 +4358,11 @@
+@@ -4231,11 +4362,11 @@
  #
  interface(`userdom_search_staff_home_dirs',`
  	gen_require(`
@@ -30389,7 +30596,7 @@
  ')
  
  ########################################
-@@ -4251,10 +4378,10 @@
+@@ -4251,10 +4382,10 @@
  #
  interface(`userdom_dontaudit_search_staff_home_dirs',`
  	gen_require(`
@@ -30402,7 +30609,7 @@
  ')
  
  ########################################
-@@ -4270,11 +4397,11 @@
+@@ -4270,11 +4401,11 @@
  #
  interface(`userdom_manage_staff_home_dirs',`
  	gen_require(`
@@ -30416,7 +30623,7 @@
  ')
  
  ########################################
-@@ -4289,16 +4416,16 @@
+@@ -4289,16 +4420,16 @@
  #
  interface(`userdom_relabelto_staff_home_dirs',`
  	gen_require(`
@@ -30436,7 +30643,7 @@
  ##	users home directory.
  ## </summary>
  ## <param name="domain">
-@@ -4307,12 +4434,27 @@
+@@ -4307,12 +4438,27 @@
  ##	</summary>
  ## </param>
  #
@@ -30467,7 +30674,7 @@
  ')
  
  ########################################
-@@ -4327,13 +4469,13 @@
+@@ -4327,13 +4473,13 @@
  #
  interface(`userdom_read_staff_home_content_files',`
  	gen_require(`
@@ -30485,7 +30692,7 @@
  ')
  
  ########################################
-@@ -4531,10 +4673,10 @@
+@@ -4531,10 +4677,10 @@
  #
  interface(`userdom_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -30498,7 +30705,7 @@
  ')
  
  ########################################
-@@ -4551,10 +4693,10 @@
+@@ -4551,10 +4697,10 @@
  #
  interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
  	gen_require(`
@@ -30511,7 +30718,7 @@
  ')
  
  ########################################
-@@ -4569,10 +4711,10 @@
+@@ -4569,10 +4715,10 @@
  #
  interface(`userdom_search_sysadm_home_dirs',`
  	gen_require(`
@@ -30524,7 +30731,7 @@
  ')
  
  ########################################
-@@ -4588,10 +4730,10 @@
+@@ -4588,10 +4734,10 @@
  #
  interface(`userdom_dontaudit_search_sysadm_home_dirs',`
  	gen_require(`
@@ -30537,7 +30744,7 @@
  ')
  
  ########################################
-@@ -4606,10 +4748,10 @@
+@@ -4606,10 +4752,10 @@
  #
  interface(`userdom_list_sysadm_home_dirs',`
  	gen_require(`
@@ -30550,7 +30757,7 @@
  ')
  
  ########################################
-@@ -4625,10 +4767,10 @@
+@@ -4625,10 +4771,10 @@
  #
  interface(`userdom_dontaudit_list_sysadm_home_dirs',`
  	gen_require(`
@@ -30563,7 +30770,7 @@
  ')
  
  ########################################
-@@ -4644,12 +4786,11 @@
+@@ -4644,12 +4790,11 @@
  #
  interface(`userdom_dontaudit_read_sysadm_home_content_files',`
  	gen_require(`
@@ -30579,7 +30786,7 @@
  ')
  
  ########################################
-@@ -4676,10 +4817,10 @@
+@@ -4676,10 +4821,10 @@
  #
  interface(`userdom_sysadm_home_dir_filetrans',`
  	gen_require(`
@@ -30592,7 +30799,7 @@
  ')
  
  ########################################
-@@ -4694,10 +4835,10 @@
+@@ -4694,10 +4839,10 @@
  #
  interface(`userdom_search_sysadm_home_content_dirs',`
  	gen_require(`
@@ -30605,7 +30812,7 @@
  ')
  
  ########################################
-@@ -4712,13 +4853,13 @@
+@@ -4712,13 +4857,13 @@
  #
  interface(`userdom_read_sysadm_home_content_files',`
  	gen_require(`
@@ -30623,7 +30830,7 @@
  ')
  
  ########################################
-@@ -4754,11 +4895,49 @@
+@@ -4754,11 +4899,49 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -30674,7 +30881,7 @@
  ')
  
  ########################################
-@@ -4778,6 +4957,14 @@
+@@ -4778,6 +4961,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -30689,7 +30896,7 @@
  ')
  
  ########################################
-@@ -4839,6 +5026,26 @@
+@@ -4839,6 +5030,26 @@
  
  ########################################
  ## <summary>
@@ -30716,7 +30923,7 @@
  ##	Create, read, write, and delete all directories
  ##	in all users home directories.
  ## </summary>
-@@ -4859,6 +5066,25 @@
+@@ -4859,6 +5070,25 @@
  
  ########################################
  ## <summary>
@@ -30742,7 +30949,7 @@
  ##	Create, read, write, and delete all files
  ##	in all users home directories.
  ## </summary>
-@@ -4879,6 +5105,26 @@
+@@ -4879,6 +5109,26 @@
  
  ########################################
  ## <summary>
@@ -30769,7 +30976,7 @@
  ##	Create, read, write, and delete all symlinks
  ##	in all users home directories.
  ## </summary>
-@@ -5115,7 +5361,7 @@
+@@ -5115,7 +5365,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
@@ -30778,7 +30985,7 @@
  	')
  
  	files_search_home($1)
-@@ -5304,6 +5550,50 @@
+@@ -5304,6 +5554,50 @@
  
  ########################################
  ## <summary>
@@ -30829,7 +31036,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5509,6 +5799,42 @@
+@@ -5509,6 +5803,42 @@
  
  ########################################
  ## <summary>
@@ -30872,7 +31079,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5674,6 +6000,42 @@
+@@ -5674,6 +6004,42 @@
  
  ########################################
  ## <summary>
@@ -30915,7 +31122,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5704,3 +6066,368 @@
+@@ -5704,3 +6070,368 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.622
retrieving revision 1.623
diff -u -r1.622 -r1.623
--- selinux-policy.spec	28 Feb 2008 21:51:10 -0000	1.622
+++ selinux-policy.spec	29 Feb 2008 22:13:08 -0000	1.623
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -388,8 +388,8 @@
 %endif
 
 %changelog
-* Thu Feb 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-7
--
+* Thu Feb 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-8
+- Change httpd_$1_script_r*_t to httpd_$1_content_r*_t
 
 * Wed Feb 27 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-6
 - Prepare policy for beta release



